How California’s imminent Do Not Track law falls short – and why it matters anyway

In early 2011, Mozilla added a “do not track” feature in its Firefox browser that allowed users to clearly state that they did not want their online activities monitored by Web sites and advertisers.

Other browser vendors soon followed suit, including Microsoft, Apple and Google, seemingly handing consumers a simple means to protect their information that would persist no matter what new collection technology and techniques the industry invented.

But more than two-and-a-half years later, flipping on the option still offers scant protection for consumers. Not only can companies freely ignore it — they don’t even have to disclose whether or not they ignore it.

At least the latter, however, might soon change. A do not track transparency bill has landed on Gov. Jerry Brown’s desk and indications suggest he will sign it before the looming deadline in mid-October.

AB 370 passed unanimously in the California Assembly and was sponsored by the governor’s political ally, Attorney General Kamala Harris.

If Gov. Brown signs the bill, introduced by Assemblymember Al Muratsuchi (D-Torrance), it’s likely to be portrayed as a bigger victory for privacy than it actually is — the latest indication of California boldly leading the way on online privacy.

It’s not that. But it is a small and solid step forward.

The law amends an existing statute requiring online companies that collect personally identifiable information to “conspicuously post” their privacy policies.

Going forward, those policies would have to include how the sites respond to do not track requests or similar mechanisms. In another update — that is only a decade or so overdue — the site would also have to state whether or not third parties can collect identifiable information about users. Those parties would include the dozens or even hundreds of ad networks like TribalFusion, Facebook’s FBX and Google’s AdSense that inconspicuously track activity across a vast array of sites.

Strictly speaking, companies would only have to disclose this information to California residents, but since no company will be eager to craft and display varying policies for varying states, it would effectively serve as a national law (if not a global one).

To be clear, a real victory here would be to take the common sense step of requiring companies to abide by the explicitly stated privacy preferences of their users. But to date that goal has proven politically unpalatable, amid stiff ad and tech industry opposition.

Gov. Jerry Brown is expected to sign AB 370 into law.

A committee of the World Wide Web Consortium (W3C), an online standards body, has been working for years to create an agreeable definition of do not track. But the parties have failed to agree on both basic and complicated technical questions. Participants have peeled off in frustration in recent months and days, most recently including the Digital Advertising Alliance.

In contrast, the relevant trade groups are officially unopposed to AB 370 — though not in support of it.

That in itself — the lack of usual hyperbole about the bill bringing down the online economy — is the most obvious sign it doesn’t do enough. But AB 370 remains important for a few reasons.

First: While it is abundantly clear that few consumers carefully read the privacy policies of the sites and apps they use, tech journalists do and privacy advocates do. So you can be sure that if this law goes into effect, stories will follow emphasizing that big reputable companies have made the conscious decision to ignore the wishes of their users.

I certainly look forward to writing some.

“Information on who does what will move into the public eye,” said Joanne McNabb, director of privacy education and policy in the California Attorney General’s office. “The goal is to bring the largely invisible practice of online tracking more into the light.”

Over time, that kind of public shaming could put pressure on corporate practices. Maybe.

Second: The Federal Trade Commission has limited power to craft strong new privacy rules, but it can certainly force companies to abide by what they say they’re going to do.

This is largely how Google ended up forking over $22.5 million last year, to settle charges that it “misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking ‘cookies’ or serve targeted ads to those users,” according to the FTC.

“It’s not without potential teeth,” said John Simpson of Consumer Watchdog, a member of the W3C working group. “If somebody says they’re honoring do not track and don’t, then they’re in trouble.”

Privacy researcher Jonathan Mayer sees wide loopholes in AB 370.

Third: Jonathan Mayer, a privacy researcher who recently resigned from the W3C talks, wrote a detailed analysis of AB 370 (which is worth reading in full) that notes the bill slips in a definition of do not track.

“The definition is vague, to be sure, and would need clarification through policy statements, enforcement, and adjudication,” he said. “But, crucially, the definition is a matter of California law. It does not depend on the W3C’s efforts.”

In an email interview, he stressed that this could lay critical groundwork for future legislation.

“Imagine, for example, a follow up bill that requires a website to stop tracking if it receives” a do not track request, he wrote. “The key terms would already be defined. It would just be a shift from transparency (i.e. you must disclose X practices) to substance (i.e. you must stop X practices).”

At the same time, Mayer’s post stresses that the bill leaves gigantic definitional holes that could allow companies to claim they aren’t bound by the law. He imagines many of the open questions will ultimately require court battles to sort out.

To be sure, it’s a shame that AB 370 is all our officials are reaching for, but it also seems to be a clear reflection of current political realities.

The online and ad industries aren’t about to voluntarily agree to any restrictions on their business models in the W3C talks without the credible fear that a substantive law or strict regulations would demand even more. But so far, the Obama Administration, Congress and even the California legislature have failed to convincingly telegraph any such threat.

It seems the votes simply aren’t there to take on industries with substantial political clout and lobbying budgets. An earlier California do not track bill with sharp teeth suffered a quick death back in 2011.

What’s critical is to consider AB 370 as an incremental step in the right direction — and for our officials to portray it as precisely that, and not some bold final victory. It’s the only way to keep the pressure on, and the industry on its toes.